Vulnerability Forecast Update: Navigating the AI Epoch (www.first.org)

🤖 AI Summary
A recent update from the FIRST Forecasting team highlights a significant increase in the projected number of Common Vulnerabilities and Exposures (CVEs) for 2026, now estimated at approximately 66,000, up 46.3% from previous forecasts. The rise is largely attributed to advancements in AI-assisted discovery tools, such as Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, which have accelerated the identification of software flaws. Despite this surge in detected vulnerabilities, the report emphasizes that the actual exploitability of these vulnerabilities remains stable, suggesting that the software ecosystem is not experiencing a crisis but rather adapting to new dynamics of vulnerability management. The team underscores the need for software maintainers to embrace automated tools and dynamic cataloging practices, particularly given the growing prevalence of ephemeral software generated by AI. They advocate for a shift in vulnerability management strategies to focus more on the contextual exploitability of vulnerabilities, rather than merely tracking their quantity. As defensive AI tools emerge in response to the increasing number of exploits, organizations are encouraged to enhance their processes and budgeting based on software growth, reflecting the diverse landscape of assets rather than solely the rising CVEs. This evolution signals a crucial adaptation for the AI/ML community as reliance on AI tools shapes vulnerability discovery and remediation practices.